go.lang.security.audit.net.pprof.pprof-debug-exposure

Verifed by r2c
Community Favorite
profile photo of semgrepsemgrep
Author
123,978
Download Count*
LGPL Commons Clause
License

The profiling 'pprof' endpoint is automatically exposed on /debug/pprof. This could leak information about the server. Instead, use import "net/http/pprof". See https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/ for more information and mitigation.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: pprof-debug-exposure
    metadata:
      cwe:
        - "CWE-489: Active Debug Code"
      owasp: A06:2017 - Security Misconfiguration
      source-rule-url: https://github.com/securego/gosec#available-rules
      references:
        - https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/
      category: security
      technology:
        - go
      confidence: LOW
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Active Debug Code
    message: The profiling 'pprof' endpoint is automatically exposed on
      /debug/pprof. This could leak information about the server. Instead, use
      `import "net/http/pprof"`. See
      https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/
      for more information and mitigation.
    languages:
      - go
    severity: WARNING
    patterns:
      - pattern-inside: |
          import _ "net/http/pprof"
          ...
      - pattern-inside: |
          func $ANY(...) {
            ...
          }
      - pattern-not-inside: |
          $MUX = http.NewServeMux(...)
          ...
          http.ListenAndServe($ADDR, $MUX)
      - pattern-not: http.ListenAndServe("=~/^localhost.*/", ...)
      - pattern-not: http.ListenAndServe("=~/^127[.]0[.]0[.]1.*/", ...)
      - pattern: http.ListenAndServe(...)

Examples

pprof.go

package main

import (
	"fmt"
	"log"
	"net/http"

	_ "net/http/pprof"
)

func ok() {
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "Hello World!")
	})
    // ok: pprof-debug-exposure
	log.Fatal(http.ListenAndServe("localhost:8080", nil))
}

func ok2() {
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "Hello World!")
	})
    // ok: pprof-debug-exposure
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}

func ok3() {
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "Hello World!")
	})

	mux := http.NewServeMux()
    // ok: pprof-debug-exposure
	log.Fatal(http.ListenAndServe(":8080", mux))
}

func main() {
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "Hello World!")
	})
    // ruleid: pprof-debug-exposure
	log.Fatal(http.ListenAndServe(":8080", nil))
}